On 7/1/2021 6:10 AM, Vivek Goyal wrote: > On Thu, Jul 01, 2021 at 09:48:33AM +0100, Dr. David Alan Gilbert wrote: >> * Theodore Ts'o (tytso@xxxxxxx) wrote: >>> On Wed, Jun 30, 2021 at 04:01:42PM +0100, Dr. David Alan Gilbert wrote: >>>> Even if you fix symlinks, I don't think it fixes device nodes or >>>> anything else where the permissions bitmap isn't purely used as the >>>> permissions on the inode. >>> I think we're making a mountain out of a molehill. Again, very few >>> people are using quota these days. And if you give someone write >>> access to a 8TB disk, do you really care if they can "steal" 32k worth >>> of space (which is the maximum size of an xattr, enforced by the VFS). >>> >>> OK, but what about character mode devices? First of all, most users >>> don't have access to huge number of devices, but let's assume >>> something absurd. Let's say that a user has write access to *1024* >>> devices. (My /dev has 233 character mode devices, and I have write >>> access to well under a dozen.) >>> >>> An 8TB disk costs about $200. So how much of the "stolen" quota space >>> are we talking about, assuming the user has access to 1024 devices, >>> and the file system actually supports a 32k xattr. >>> >>> 32k * 1024 * $200 / 8TB / (1024*1024*1024) = $0.000763 = 0.0763 cents >>> >>> A 2TB SSD is less around $180, so even if we calculate the prices >>> based on SSD space, we're still talking about a quarter of a penny. >>> >>> Why are we worrying about this? >> I'm not worrying about storage cost, but we would need to define what >> the rules are on who can write and change a user.* xattr on a device >> node. It doesn't feel sane to make it anyone who can write to the >> device; then everyone can start leaving droppings on /dev/null. >> >> The other evilness I can imagine, is if there's a 32k limit on xattrs on >> a node, an evil user could write almost 32k of junk to the node >> and then break the next login that tries to add an acl or breaks the >> next relabel. > I guess 64k is per xattr VFS size limit. > > #define XATTR_SIZE_MAX 65536 > > I just wrote a simple program to write "user.<N>" xattrs of size 1K > each and could easily write 1M xattrs. So that 1G worth data right > there. I did not try to push it further. > > So a user can write lot of data in the form of user.* xattrs on > symlinks and device nodes if were to open it unconditionally. Hence > permission semantics will probably will have to defined properly. > > I am wondering will it be alright if owner of the file (or CAP_FOWNER), > is allowed to write user.* xattrs on symlinks and special files. That would be sensible. That's independent of your xattr mapping scheme. > > Vivek >
